1 | |
---|
2 | |
---|
3 | |
---|
4 | Frequently Asked Questions about BIND 9 |
---|
5 | |
---|
6 | |
---|
7 | Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads? |
---|
8 | |
---|
9 | A: Linux threads do not fully implement the Posix threads (pthreads) standard. |
---|
10 | In particular, setuid() operates only on the current thread, not the full |
---|
11 | process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it |
---|
12 | can on all other supported platforms. setuid() cannot be called before |
---|
13 | creating threads, since the server does not start listening on reserved ports |
---|
14 | until after threads have started. |
---|
15 | |
---|
16 | In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve |
---|
17 | capabilities across a setuid() call is present. This allows BIND 9 to call |
---|
18 | setuid() early, while retaining the ability to bind reserved ports. This is |
---|
19 | a Linux-specific hack. |
---|
20 | |
---|
21 | On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less |
---|
22 | of a security risk than a root process that has not dropped privileges. |
---|
23 | |
---|
24 | If Linux threads ever work correctly, this restriction will go away. |
---|
25 | |
---|
26 | Configuring BIND9 with the --disable-threads option (the default) causes a |
---|
27 | non-threaded version to be built, which will allow -u to be used. |
---|
28 | |
---|
29 | |
---|
30 | Q: Why does named log the warning message "no TTL specified - using SOA |
---|
31 | MINTTL instead"? |
---|
32 | |
---|
33 | A: Your zone file is illegal according to RFC1035. It must either |
---|
34 | have a line like |
---|
35 | |
---|
36 | $TTL 86400 |
---|
37 | |
---|
38 | at the beginning, or the first record in it must have a TTL field, |
---|
39 | like the "84600" in this example: |
---|
40 | |
---|
41 | example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) |
---|
42 | |
---|
43 | Q: Why do I see 5 (or more) copies of named on Linux? |
---|
44 | |
---|
45 | A: Linux threads each show up as a process under ps. The approximate |
---|
46 | number of threads running is n+4, where n is the number of CPUs. Note that |
---|
47 | the amount of memory used is not cumulative; if each process is using 10M of |
---|
48 | memory, only a total of 10M is used. |
---|
49 | |
---|
50 | |
---|
51 | Q: Why does BIND 9 log "permission denied" errors accessing its |
---|
52 | configuration files or zones on my Linux system even though it is running |
---|
53 | as root? |
---|
54 | |
---|
55 | A: On Linux, BIND 9 drops most of its root privileges on startup. |
---|
56 | This including the privilege to open files owned by other users. |
---|
57 | Therefore, if the server is running as root, the configuration files |
---|
58 | and zone files should also be owned by root. |
---|
59 | |
---|
60 | |
---|
61 | Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file |
---|
62 | bar: ran out of space" |
---|
63 | |
---|
64 | A: This is often caused by TXT records with missing close quotes. Check that |
---|
65 | all TXT records containing quoted strings have both open and close quotes. |
---|
66 | |
---|
67 | |
---|
68 | Q: How do I produce a usable core file from a multithreaded named on Linux? |
---|
69 | |
---|
70 | A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps |
---|
71 | are usable (that is, the correct thread is dumped). Otherwise, if using |
---|
72 | a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch |
---|
73 | and rebuild the kernel. This patch will cause multithreaded programs to dump |
---|
74 | the correct thread. |
---|
75 | |
---|
76 | |
---|
77 | Q: How do I restrict people from looking up the server version? |
---|
78 | |
---|
79 | A: Put a "version" option containing something other than the real |
---|
80 | version in the "options" section of named.conf. Note doing this will |
---|
81 | not prevent attacks and may impede people trying to diagnose problems |
---|
82 | with your server. Also it is possible to "fingerprint" nameservers to |
---|
83 | determine their version. |
---|
84 | |
---|
85 | |
---|
86 | Q: How do I restrict only remote users from looking up the server |
---|
87 | version? |
---|
88 | |
---|
89 | A: The following view statement will intercept lookups as the internal |
---|
90 | view that holds the version information will be matched last. The |
---|
91 | caveats of the previous answer still apply, of course. |
---|
92 | |
---|
93 | view "chaos" chaos { |
---|
94 | match-clients { <those to be refused>; }; |
---|
95 | allow-query { none; }; |
---|
96 | zone "." { |
---|
97 | type hint; |
---|
98 | file "/dev/null"; // or any empty file |
---|
99 | }; |
---|
100 | }; |
---|
101 | |
---|
102 | |
---|
103 | Q: What do "no source of entropy found" or "could not open entropy source foo" |
---|
104 | mean? |
---|
105 | |
---|
106 | A: The server requires a source of entropy to perform certain operations, |
---|
107 | mostly DNSSEC related. These messages indicate that you have no source |
---|
108 | of entropy. On systems with /dev/random or an equivalent, it is used by |
---|
109 | default. A source of entropy can also be defined using the random-device |
---|
110 | option in named.conf. |
---|
111 | |
---|
112 | |
---|
113 | Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why? |
---|
114 | |
---|
115 | A: BIND 9 is installed under /usr/local by default. BIND 8 is often |
---|
116 | installed under /usr. Check that the correct named is running. |
---|
117 | |
---|
118 | |
---|
119 | Q: I'm trying to use TSIG to authenticate dynamic updates or zone |
---|
120 | transfers. I'm sure I have the keys set up correctly, but the server |
---|
121 | is rejecting the TSIG. Why? |
---|
122 | |
---|
123 | A: This may be a clock skew problem. Check that the the clocks on |
---|
124 | the client and server are properly synchronized (e.g., using ntp). |
---|
125 | |
---|
126 | |
---|
127 | Q: I'm trying to compile BIND 9, and "make" is failing due to files not |
---|
128 | being found. Why? |
---|
129 | |
---|
130 | A: Using a parallel or distributed "make" to build BIND 9 is not |
---|
131 | supported, and doesn't work. If you are using one of these, use |
---|
132 | normal make or gmake instead. |
---|
133 | |
---|
134 | |
---|
135 | Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is |
---|
136 | logging error messages like "notify to 10.0.0.1#53 failed: unexpected |
---|
137 | end of input". What's wrong? |
---|
138 | |
---|
139 | A: This error message is caused by a known bug in BIND 8.2.3 and is fixed |
---|
140 | in BIND 8.2.4. It can be safely ignored - the notify has been acted on by |
---|
141 | the slave despite the error message. |
---|
142 | |
---|
143 | |
---|
144 | Q: I keep getting log messages like the following. Why? |
---|
145 | |
---|
146 | Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': |
---|
147 | update failed: 'RRset exists (value dependent)' prerequisite not |
---|
148 | satisfied (NXRRSET) |
---|
149 | |
---|
150 | A: DNS updates allow the update request to test to see if certain |
---|
151 | conditions are met prior to proceeding with the update. The message |
---|
152 | above is saying that conditions were not met and the update is not |
---|
153 | proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites. |
---|
154 | |
---|
155 | |
---|
156 | Q: I keep getting log messages like the following. Why? |
---|
157 | |
---|
158 | Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied |
---|
159 | |
---|
160 | A: Someone is trying to update your DNS data using the RFC2136 Dynamic |
---|
161 | Update protocol. Windows 2000 machines have a habit of sending dynamic |
---|
162 | update requests to DNS servers without being specifically configured to |
---|
163 | do so. If the update requests are coming from a Windows 2000 machine, |
---|
164 | see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp> |
---|
165 | for information about how to turn them off. |
---|
166 | |
---|
167 | |
---|
168 | Q: I see a log message like the following. Why? |
---|
169 | |
---|
170 | couldn't open pid file '/var/run/named.pid': Permission denied |
---|
171 | |
---|
172 | A: You are most likely running named as a non-root user, and that user |
---|
173 | does not have permission to write in /var/run. The common ways of |
---|
174 | fixing this are to create a /var/run/named directory owned by the named |
---|
175 | user and set pid-file to "/var/run/named/named.pid", or set |
---|
176 | pid-file to "named.pid", which will put the file in the directory |
---|
177 | specified by the directory option (which, in this case, must be writable |
---|
178 | by the named user). |
---|
179 | |
---|
180 | |
---|
181 | Q: When I do a "dig . ns", many of the A records for the root |
---|
182 | servers are missing. Why? |
---|
183 | |
---|
184 | A: This is normal and harmless. It is a somewhat confusing side effect |
---|
185 | of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 |
---|
186 | makes to avoid promoting glue into answers. |
---|
187 | |
---|
188 | When BIND 9 first starts up and primes its cache, it receives the root |
---|
189 | server addresses as additional data in an authoritative response from |
---|
190 | a root server, and these records are eligible for inclusion as |
---|
191 | additional data in responses. Subsequently it receives a subset of |
---|
192 | the root server addresses as additional data in a non-authoritative |
---|
193 | (referral) response from a root server. This causes the addresses to |
---|
194 | now be considered non-authoritative (glue) data, which is not eligible |
---|
195 | for inclusion in responses. |
---|
196 | |
---|
197 | The server does have a complete set of root server addresses cached |
---|
198 | at all times, it just may not include all of them as additional data, |
---|
199 | depending on whether they were last received as answers or as glue. |
---|
200 | You can always look up the addresses with explicit queries like |
---|
201 | "dig a.root-servers.net A". |
---|
202 | |
---|
203 | |
---|
204 | Q: Zone transfers from my BIND 9 master to my Windows 2000 slave |
---|
205 | fail. Why? |
---|
206 | |
---|
207 | A: This may be caused by a bug in the Windows 2000 DNS server where |
---|
208 | DNS messages larger than 16K are not handled properly. This can be |
---|
209 | worked around by setting the option "transfer-format one-answer;". |
---|
210 | Also check whether your zone contains domain names with embedded |
---|
211 | spaces or other special characters, like "John\032Doe\213s\032Computer", |
---|
212 | since such names have been known to cause Windows 2000 slaves to |
---|
213 | incorrectly reject the zone. |
---|
214 | |
---|
215 | |
---|
216 | Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? |
---|
217 | |
---|
218 | A: A zone can be updated either by editing zone files and reloading |
---|
219 | the server or by dynamic update, but not both. If you have enabled |
---|
220 | dynamic update for a zone using the "allow-update" option, you are not |
---|
221 | supposed to edit the zone file by hand, and the server will not |
---|
222 | attempt to reload it. |
---|
223 | |
---|
224 | |
---|
225 | Q: I can query the nameserver from the nameserver but not from other |
---|
226 | machines. Why? |
---|
227 | |
---|
228 | A: This is usually the result of the firewall configuration stopping |
---|
229 | the queries and / or the replies. |
---|
230 | |
---|
231 | |
---|
232 | Q: How can I make a server a slave for both an internal and |
---|
233 | an external view at the same time? When I tried, both views |
---|
234 | on the slave were transferred from the same view on the master. |
---|
235 | |
---|
236 | A: You will need to give the master and slave multiple IP addresses and |
---|
237 | use those to make sure you reach the correct view on the other machine. |
---|
238 | |
---|
239 | e.g. |
---|
240 | Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) |
---|
241 | internal: |
---|
242 | match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; |
---|
243 | notify-source 10.0.1.1; |
---|
244 | transfer-source 10.0.1.1; |
---|
245 | query-source address 10.0.1.1; |
---|
246 | external: |
---|
247 | match-clients { any; }; |
---|
248 | recursion no; // don't offer recursion to the world |
---|
249 | notify-source 10.0.1.2; |
---|
250 | transfer-source 10.0.1.2; |
---|
251 | query-source address 10.0.1.2; |
---|
252 | |
---|
253 | Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) |
---|
254 | internal: |
---|
255 | match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; |
---|
256 | notify-source 10.0.1.3; |
---|
257 | transfer-source 10.0.1.3; |
---|
258 | query-source address 10.0.1.3; |
---|
259 | external: |
---|
260 | match-clients { any; }; |
---|
261 | recursion no; // don't offer recursion to the world |
---|
262 | notify-source 10.0.1.4; |
---|
263 | transfer-source 10.0.1.4; |
---|
264 | query-source address 10.0.1.4; |
---|
265 | |
---|
266 | You put the external address on the alias so that all the other |
---|
267 | dns clients on these boxes see the internal view by default. |
---|
268 | |
---|
269 | A: (BIND 9.3 and later) Use TSIG to select the appropriate view. |
---|
270 | |
---|
271 | Master 10.0.1.1: |
---|
272 | key "external" { |
---|
273 | algorithm hmac-md5; |
---|
274 | secret "xxxxxxxx"; |
---|
275 | }; |
---|
276 | view "internal" { |
---|
277 | match-clients { !key external; 10.0.1/24; }; |
---|
278 | ... |
---|
279 | }; |
---|
280 | view "external" { |
---|
281 | match-clients { key external; any; }; |
---|
282 | server 10.0.0.2 { keys external; }; |
---|
283 | recursion no; |
---|
284 | ... |
---|
285 | }; |
---|
286 | |
---|
287 | Slave 10.0.1.2: |
---|
288 | key "external" { |
---|
289 | algorithm hmac-md5; |
---|
290 | secret "xxxxxxxx"; |
---|
291 | }; |
---|
292 | view "internal" { |
---|
293 | match-clients { !key external; 10.0.1/24; }; |
---|
294 | }; |
---|
295 | view "external" { |
---|
296 | match-clients { key external; any; }; |
---|
297 | server 10.0.0.1 { keys external; }; |
---|
298 | recursion no; |
---|
299 | ... |
---|
300 | }; |
---|
301 | |
---|
302 | |
---|
303 | Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there. |
---|
304 | |
---|
305 | A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel |
---|
306 | to use certain interrupts as a source of random events. You can make this |
---|
307 | permanent by setting rand_irqs in /etc/rc.conf. |
---|
308 | |
---|
309 | e.g. |
---|
310 | /etc/rc.conf |
---|
311 | rand_irqs="3 14 15" |
---|
312 | |
---|
313 | See also http://people.freebsd.org/~dougb/randomness.html |
---|
314 | |
---|
315 | |
---|
316 | Q: Why is named listening on UDP port other than 53? |
---|
317 | |
---|
318 | A: Named uses a system selected port to make queries of other nameservers. |
---|
319 | This behaviour can be overridden by using query-source to lock down the |
---|
320 | port and/or address. See also notify-source and transfer-source. |
---|
321 | |
---|
322 | |
---|
323 | Q: I get error messages like "multiple RRs of singleton type" and |
---|
324 | "CNAME and other data" when transferring a zone. What does this mean? |
---|
325 | |
---|
326 | A: These indicate a malformed master zone. You can identify the |
---|
327 | exact records involved by transferring the zone using dig then |
---|
328 | running named-checkzone on it. |
---|
329 | |
---|
330 | e.g. |
---|
331 | dig axfr example.com @master-server > tmp |
---|
332 | named-checkzone example.com tmp |
---|
333 | |
---|
334 | |
---|
335 | Q: I get error messages like "named.conf:99: unexpected end of input" where |
---|
336 | 99 is the last line of named.conf. |
---|
337 | |
---|
338 | A: Some text editors (notepad and wordpad) fail to put a line termination |
---|
339 | indication (e.g. CR/LF) on the last line of a text file. This can be fixed |
---|
340 | by "adding" a blank line to the end of the file. Named expects to see EOF |
---|
341 | immediately after EOL and treats text files where this is not met as truncated. |
---|
342 | |
---|
343 | |
---|
344 | Q: I get warning messages like "zone example.com/IN: refresh: failure trying master |
---|
345 | 1.2.3.4#53: timed out". |
---|
346 | |
---|
347 | A: Check that you can make UDP queries from the slave to the master |
---|
348 | |
---|
349 | dig +norec example.com soa @1.2.3.4 |
---|
350 | |
---|
351 | A: You could be generating queries faster than the slave can cope with. Lower |
---|
352 | the serial query rate. |
---|
353 | |
---|
354 | serial-query-rate 5; // default 20 |
---|
355 | |
---|
356 | Q: How do I share a dynamic zone between multiple views? |
---|
357 | |
---|
358 | A: You choose one view to be master and the second a slave and transfer |
---|
359 | the zone between views. |
---|
360 | |
---|
361 | Master 10.0.1.1: |
---|
362 | key "external" { |
---|
363 | algorithm hmac-md5; |
---|
364 | secret "xxxxxxxx"; |
---|
365 | }; |
---|
366 | |
---|
367 | key "mykey" { |
---|
368 | algorithm hmac-md5; |
---|
369 | secret "yyyyyyyy"; |
---|
370 | }; |
---|
371 | |
---|
372 | view "internal" { |
---|
373 | match-clients { !external; 10.0.1/24; }; |
---|
374 | server 10.0.1.1 { |
---|
375 | /* Deliver notify messages to external view. */ |
---|
376 | keys { external; }; |
---|
377 | }; |
---|
378 | zone "example.com" { |
---|
379 | type master; |
---|
380 | file "internal/example.db"; |
---|
381 | allow-update { key mykey; }; |
---|
382 | notify-also { 10.0.1.1; }; |
---|
383 | }; |
---|
384 | }; |
---|
385 | |
---|
386 | view "external" { |
---|
387 | match-clients { external; any; }; |
---|
388 | zone "example.com" { |
---|
389 | type slave; |
---|
390 | file "external/example.db"; |
---|
391 | masters { 10.0.1.1; }; |
---|
392 | transfer-source { 10.0.1.1; }; |
---|
393 | // allow-update-forwarding { any; }; |
---|
394 | // allow-notify { ... }; |
---|
395 | }; |
---|
396 | }; |
---|
397 | |
---|
398 | Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master |
---|
399 | file primaries/wireless.ietf56.ietf.org: no owner". |
---|
400 | |
---|
401 | A: This error is produced when a line in the master file contains leading |
---|
402 | white space (tab/space) but the is no current record owner name to inherit |
---|
403 | the name from. Usually this is the result of putting white space before |
---|
404 | a comment. Forgeting the "@" for the SOA record or indenting the master |
---|
405 | file. |
---|
406 | |
---|
407 | |
---|
408 | Q: Why are my logs in GMT (UTC). |
---|
409 | |
---|
410 | A: You are running chrooted (-t) and have not supplied local timzone |
---|
411 | information in the chroot area. |
---|
412 | |
---|
413 | FreeBSD: /etc/localtime |
---|
414 | Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo |
---|
415 | OSF: /etc/zoneinfo/localtime |
---|
416 | |
---|
417 | See also tzset(3) and zic(8). |
---|
418 | |
---|
419 | |
---|
420 | Q: I get the error message "named: capset failed: Operation not permitted" |
---|
421 | when starting named. |
---|
422 | |
---|
423 | A: The capset module has not been loaded into the kernel. See insmod(8). |
---|
424 | |
---|
425 | |
---|
426 | Q: I get "rndc: connect failed: connection refused" when I try to run |
---|
427 | rndc. |
---|
428 | |
---|
429 | A: This is usually a configuration error. |
---|
430 | |
---|
431 | First ensure that named is running and no errors are being |
---|
432 | reported at startup (/var/log/messages or equivalent). Running |
---|
433 | "named -g <usual arguements>" from a terminal can help at this |
---|
434 | point. |
---|
435 | |
---|
436 | Secondly ensure that named is configured to use rndc either by |
---|
437 | "rndc-confgen -a", rndc-confgen or manually. The Administators |
---|
438 | Reference manual has details on how to do this. |
---|
439 | |
---|
440 | Old versions of rndc-confgen used localhost rather than 127.0.0.1 |
---|
441 | in /etc/rndc.conf for the default server. Update /etc/rndc.conf |
---|
442 | if necessary so that the default server listed in /etc/rndc.conf |
---|
443 | matches the addresses used in named.conf. "localhost" has two |
---|
444 | address (127.0.0.1 and ::1). |
---|
445 | |
---|
446 | If you use "rndc-confgen -a" and named is running with -t or -u |
---|
447 | ensure that /etc/rndc.conf has the correct ownership and that |
---|
448 | a copy is in the chroot area. You can do this by re-running |
---|
449 | "rndc-confgen -a" with appropriate -t and -u arguements. |
---|
450 | |
---|
451 | |
---|
452 | Q: I don't get RRSIG's returned when I use "dig +dnssec". |
---|
453 | |
---|
454 | A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). |
---|
455 | |
---|
456 | |
---|
457 | Q: I get "Error 1067" when starting named under Windows. |
---|
458 | |
---|
459 | A: This is the service manager saying that named exited. You need to |
---|
460 | examine the Application log in the EventViewer to find out why. |
---|
461 | |
---|
462 | Common causes are that you failed to create "named.conf" (usually |
---|
463 | "C:\windows\dns\etc\named.conf") or failed to specify the directory |
---|
464 | in named.conf. |
---|
465 | |
---|
466 | options { |
---|
467 | Directory "C:\windows\dns\etc"; |
---|
468 | }; |
---|
469 | |
---|
470 | |
---|